Skill v1.0.0
ClawScan security
Video To Text Transcription Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 2:20 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (cloud-based video → text transcription) aligns with its instructions and the single requested credential (NEMO_TOKEN), but it will upload user videos to an external, unknown API and has a small metadata inconsistency you should be aware of.
- Guidance: This skill appears to do what it says: it uploads video files and uses a NEMO_TOKEN to call nemovideo's API for transcription and rendering. Before installing or using it: (1) Confirm you trust the external domain (mega-api-prod.nemovideo.ai) — your videos will be uploaded there; (2) Prefer letting the skill generate an anonymous token rather than entering a personal account token, since providing your NEMO_TOKEN may give it full access to your account; (3) Ask the publisher to clarify the configPath discrepancy (SKILL.md lists ~/.config/nemovideo/ while registry metadata did not) if you are concerned about local config reads; (4) Test with non-sensitive videos first and review the service's privacy/terms if you plan to process private data.
Review Dimensions
- Purpose & Capability (ok): The name/description describe cloud video transcription and the SKILL.md instructs the agent to obtain a token, create a session, upload video files, request transcriptions/rendering, and download outputs — all coherent with the claimed purpose. Requesting a NEMO_TOKEN is appropriate for an API-driven service.
- Instruction Scope (note): Instructions require network calls to https://mega-api-prod.nemovideo.ai for auth, uploads, SSE and rendering; they explicitly instruct uploading user video files (or URLs) and storing session_id. This is expected for a cloud transcription service, but it does mean user content will be transmitted to a third party. The SKILL.md also references auto-detecting platform from an install path and a config path (~/.config/nemovideo/) in frontmatter — that could require reading local environment/install paths if implemented, though the runtime instructions do not otherwise require broad local file access.
- Install Mechanism (ok): There is no install specification and no code files (instruction-only), so nothing is written to disk by the skill itself. This minimizes install-time risk.
- Credentials (note): Only one credential (NEMO_TOKEN) is declared as primary, which is proportionate for accessing the described API. The skill can also create an anonymous token server-side if NEMO_TOKEN is not set, reducing the need for users to provide an account token. There is a minor inconsistency: the registry metadata shown at the top listed no required config paths, but the SKILL.md frontmatter includes a configPaths entry (~/.config/nemovideo/). That suggests the skill may expect or prefer reading a local config file in some implementations — clarify before giving a personal account token.
- Persistence & Privilege (ok): always:false (not force-included); user-invocable and allows autonomous invocation by default — standard for skills. The skill does not request permanent system presence or attempt to modify other skills or system-wide settings in the provided instructions.
